[Daniel's week] August 9, 2024

Fri Aug 9 22:46:32 CEST 2024

Hello friends.

Another work week ends. Lots of stuff happened.

## feature window

We declared the feature window open and we have had an intense week. Just nine
days after the previous release we count 13 changes and 87 bugfixes already
landed in the git repository which has to be counted as an insane level of
activity.

## libcurl 24

I wrote up a post about how libcurl turned 24 years old [2], and then managed
to confuse myself on the date so I pressed publish a day early. Oh well, if
anyone asks I will insist I did it on purpose.

## inviting wcurl

I invited wcurl over to the curl project. We decided that transferring the
repository on GitHub is the best option since then it will work with redirects
from the old to the new name etc.

I was given admin access in the wcurl repository for this, only to immediately
realize that it was enough to have permission to do a transfer.

I then instead wanted to do the reverse and add Samuel (one of the two wcurl
maintainers) to the curl organization - only to realize that GitHub refuses me
that and instead insists I need to pay to add more users. I made me muchly
confused. I was not aware there was any cap - plus the fact that we were a few
more people now long ago so clearly whatever limit there is used to be higher.

It turns out (after some investigation) that we have this "enterprise account"
and not an ordinary open source one since the day in 2021 when we were "bumped
up" as a courtesy to get more GitHub action powers. I suppose that's why they
take the enterprise attitude towards us and not the open source friendly face.

After some back and forth we got the issue resolved Thursday morning. I then
invited Samuel into the curl org and in the Thursday afternoon he had the
wcurl repository moved over [5]. I then made the initial wcurl webpage [6] go
live, I updated everything curl about "What the project does" [7] and then
published a blog post [4] about the "adoption".

As a bonus I made a little logo for wcurl, visible on its webpage.

wcurl is now part of curl and I have submitted my first pull-requests for it
that also were merged.

## SIGPIPE bug

Turns out we shipped at least one rather annoying regression even in 8.9.1
which is a mistake in our handling of SIGPIPE [9]. The report and the
following fix were unfortunately a little too late in the cycle to make us do
yet another patch release so instead I alerted the curl-distros mailing list
about the (bug and the) fix so that at least distros have the chance to patch.

The SIGPIPE ignore management in libcurl is tricky to test. Sometimes of
course I cannot but to wonder if SIGPIPE is ever actually wanted in the
current world. Such a nuisance.

## CVE write-up

Dov Murik is the person behind the most recent curl security vulnerability and
he wrote up this interesting blog post about how he found it [1] and worked
with us on the case.

## hacking

I extended my email collection online with this new [8] entry from someone
thinking I was somehow involved in some kind of hacking. As usual it is not
clear exactly what has happened or how this person came to send the email in
my direction.

## getprog.ai

I saw a post on LinkedIn where this getprog.ai site was mentioned: "
Introducing our leaderboard of the leading experts in Comprehensive Software
Development and Security Technologies, curated based on their impressive
open-source contributions"[3].

It seems to be some kind of recruiting site, but the page there shows me
prominently listed and displayed and I certainly has not been in contact with
them. I have not given any permissions for this and I am not available for
recruitment. They seem to just have collected public data (and drawn some very
amusing conclusions such as that I am an expert on ldap).

## -h improvements

Among the flood of new stuff we have merged to ship in the next release is the
new help out put feature -h [option]. To help spread the news about new things
I wrote up a blog post about this [10]. I will try to do a few more the coming
weeks to cover more of the news.

## Coming up

- The feature window is open another week

## Links

[1] = https://dubek.space/posts/2024-08-04-curl-cve-2024-7264/
[2] = https://daniel.haxx.se/blog/2024/08/06/libcurl-is-24-years-old/
[3] = https://www.getprog.ai/technologies-page/comprehensive-software-development-and-security-technologies
[4] = https://daniel.haxx.se/blog/2024/08/08/curl-welcomes-wcurl-to-the-team/
[5] = https://github.com/curl/wcurl
[6] = https://curl.se/wcurl/
[7] = https://everything.curl.dev/project/does.html
[8] = https://bagder.github.io/emails/2024/2024-08-07.html
[9] = https://github.com/curl/curl/issues/14344
[10] = https://daniel.haxx.se/blog/2024/08/09/more-curl-help/

-- 

  / daniel.haxx.se